Impact
The flaw is an inappropriate XML parsing implementation in Google Chrome before version 149.0.7827.53 that lets a remote attacker deliver a specially crafted XML file and trigger the injection of arbitrary scripts or HTML into the browser’s user interface. Because the injected code runs inside the Chrome process, the attacker can perform actions with the same privileges as that process, potentially compromising confidential data stored in memory or manipulating the browser environment.
Affected Systems
All users of Google Chrome on the stable channel whose browser versions are older than 149.0.7827.53 are impacted, regardless of operating system. The vulnerability exists in Windows, macOS, and Linux builds where the default XML parsing logic is applied.
Risk and Exploitability
The CVSS score of 8.1 indicates a high-severity issue, but the EPSS score of less than 1% suggests that active exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, further implying limited observed use. Based on the description, it is inferred that the attack vector requires a remote attacker to supply the malicious XML file, possibly through email attachments, network shares, or malicious websites. Once processed, the injected scripts execute with Chrome process privileges, raising risks to the confidentiality and integrity of data within the browser context. Although no public exploit has been documented, the theoretical impact remains significant if the flaw is leveraged by a determined adversary.